► Improving electronic access controls.

EDP AUDITS


Electronic  Data  Processing  (EDP)  audits  conducted  by  the  Office  of  the  Legislative  Auditor 
are  designed  to  assess  controls  in  an  EDP  environment.  EDP  controls  provide  assurance  over 
performing the audit work, the audit staff uses audit standards set forth by the United States
General  Accounting  Office. 
Areas of expertise include business and public administration and computer science.
financial-compliance and/or performance audits conducted by the office. These audits are
done under the oversight of the Legislative Audit Committee which is a bicameral and
bipartisan standing committee of the Montana Legislature. The committee consists of four
members of the Senate and four members of the House of Representatives.

The Legislative Audit Committee
of  the  Montana  State  Legislature: 

This is our EDP audit of controls relating to The Economic Assistance
Management System (TEAMS) operated by the Department of Social and
Rehabilitation Services. We reviewed the department's general controls
related to the mainframe computer environment which processes TEAMS. In
addition, we reviewed application controls related to the TEAMS application.
This report contains recommendations for improving EDP controls related to
TEAMS. The department's written response to audit recommendations is
included in the back of the report.

We  thank  the  director  and  department  personnel  for  their  cooperation  and 
assistance  throughout  the  audit. 

Report Summary


Introduction 


Our EDP audit evaluated the controls of The Economic Assistance
Management System (TEAMS) operated by the Department of Social
and Rehabilitation Services (SRS). We reviewed the adequacy of
SRS's implementation of general and application controls as they
relate to TEAMS. A discussion of general and application controls
is included on pages 1 and 2. The objectives and scope of this
audit are discussed on pages 2 and 3 of the report.


General  Controls 


In  our  review  of  the  general  controls  over  TEAMS'  mainframe 
computer  environment,  we  found  organizational,  procedural, 
hardware,  system  software,  system  development,  and  physical 
access  controls  were  adequate.   However,  we  noted  weaknesses  in 
electronic  access  controls. 


Electronic  Access 
Controls 


Electronic access controls ensure access to computer tapes and
hardware is limited to authorized personnel. SRS uses access
control software called Access Control Facility-2 (ACF2) to
control electronic access to TEAMS programs and data stored on
the mainframe computer. ACF2 controls access through electronic
rules which allow or prevent user access. In addition, the
department controls access through security programs within the
TEAMS application which control access to specific screens.


SRS  Should  Restrict 
Access  to  Production 
Programs  and  Data 


We  determined  Department  of  Administration  programmers  and 
TEAMS  programmers  have  unlogged  write  access  to  TEAMS 
production  programs  and  data.   Write  access  allows  programmers 
to  access  and  make  unauthorized  program  changes,  or  delete 
entire  production  programs  and  data.   If  unlogged,  there  is  no 
record  of  programmer  access. 


Industry  standards  state  programmers  do  not  need  access  to 
system  or  application  libraries,  which  would  provide  a  means  of 
bypassing  controls.  Their  activities  should  be  restricted  to  test 
programs  and  files,  with  access  only  to  those  programs  and  files 
needed  for  a  given  assignment. 

User Access Should Agree
to  Job  Needs 


We  reviewed  twenty  user  IDs  and  determined  eleven  users  have 
inappropriate  access  which  allows  them  to  issue  replacement 
food  stamps.   In  addition,  two  of  twenty  employees  we  reviewed 
have  access  privileges  inconsistent  with  their  current  job  duties. 


Industry  standards  suggest  management  limit  user  access  to  data 
files  required  to  process  or  maintain  particular  applications  in 
the  performance  of  their  duties.   A  person  could  inappropriately 
or  accidentally  issue  replacement  food  stamps,  view  confidential 
information,  or  make  unauthorized  changes.   The  department 
should  establish  procedures  to  ensure  all  TEAMS  user  access 
agrees  to  current  job  duties. 


Internal  Evaluations  of 
Security 


We  determined  the  department  has  not  established  a  formal 
policy  to  perform  internal  evaluations  of  security  in  accordance 
with  section  2-15-114,  MCA.   In  addition  to  addressing  security 
access  controls,  the  department  should  establish  policies  and 
procedures  which  address  safeguarding  all  data  and  information 
technology  resources,  including  microcomputer  policies  and 
program  documentation. 


Section 2-15-114, MCA, requires department heads to be
". . . responsible for assuring an adequate level of security for all
data and information technology resources within his department
and shall ... (4) ensure internal evaluations of the security
program for data and information technology resources are
conducted."

We  believe  the  access  control  issues  we  identified  resulted 
because  the  department  does  not  have  formal  policies  and 
procedures  for  internal  evaluations  of  security.   Department 
personnel  indicated  they  were  not  aware  of  the  state  law,  but 
responded  they  would  develop  policies  and  procedures  to  address 
the  identified  issues. 

TEAMS


TEAMS  is  an  on-line  computer  application  which  determines 
AFDC,  Food  Stamp,  and  Medicaid  client  eligibility  during  the 
client  interview.   We  performed  an  application  review  of 
TEAMS.   Overall,  we  concluded  the  controls  over  TEAMS  are 
adequate  to  provide  data  integrity.    However,  we  found  areas 
where  the  controls  could  be  improved  to  further  ensure  the 
security  and  integrity  of  the  data. 


Input  Procedures 


Caseworkers  enter  information  to  TEAMS  from  the  client 
prepared  application.   We  found  TEAMS  properly  determines 
eligibility  and  calculates  benefits  based  on  information  entered 
from  the  application.   However,  we  identified  several  instances 
where  caseworkers  overlooked  applicant  information  or 
incorrectly  entered  the  information  to  TEAMS. 


Incorrect  Expenditure 
Allowances  Caused 
Improper  Benefit  Awards 


We  found  cases  where  the  caseworkers  entered  incorrect 
expenditure  allowances  to  TEAMS.   As  explained  below,  these 
errors  caused  improper  benefit  awards  for  two  of  fifty-eight 
Food  Stamp  cases  we  reviewed. 


Federal  regulations  allow  a  standard  utility  allowance  for  clients 
who  incur  utility  expenses  separate  from  rent  or  mortgage 
expenses.   If  the  client  participates  in  the  Low  Income  Energy 
Assistance  Program  (LIEAP),  they  are  automatically  entitled  to 
receive  the  standard  utility  allowance.   A  caseworker  entered  the 
standard  utility  allowance  but  the  client  did  not  incur  separate 
utility  expenses  or  participate  in  LIEAP.   As  a  result,  the  client 
received  excess  Food  Stamp  benefits  of  $60.   We  question  the 
allowability  of  $60  charged  to  the  Food  Stamp  program  (CFDA 
#10.551). 

Federal  regulations  allow  disabled  clients  actual  monthly  housing 
costs  incurred,  even  if  costs  exceed  the  maximum  shelter 
deduction.   We  determined  a  disabled  client  received  the 
maximum  shelter  deduction  when  his  actual  housing  costs  were 
more.   As  a  result,  the  client  was  underawarded  Food  Stamp 
benefits  by  $2.56. 

Client Information
Incorrectly  Entered  and/or 
not  Included  on  TEAMS 


We  compared  information  on  the  client  application  to  data  input 
on  TEAMS  and  found  instances  where  information  did  not 
agree.   We  found  cases  included  incorrect  date  of  birth,  marital 
status,  social  security  numbers,  and/or  asset  values.   We  also 
found  instances  where  TEAMS  did  not  include  all  client 
information  such  as  bank  accounts  or  vehicles. 


Industry  standards  suggest  management  implement  effective 
input  controls  to  provide  complete  and  accurate  data  entry  to 
computer  applications.   Although  these  errors  did  not  affect 
eligibility  or  benefits,  the  potential  exists  that  such  errors  could 
cause  incorrect  determination  of  eligibility  and  benefit  payments 
in  the  future. 


Summary 


In  conclusion,  we  found  the  general  and  application  controls 
were  sufficient  to  ensure  the  integrity  of  data  processed  by 
TEAMS.  The  weaknesses  we  identified  could  compromise  the 
integrity  of  the  data  in  the  future.   SRS  has  acknowledged  the 
need  for  improvement  and  has  agreed  to  implement  our 
recommendations. 

Introduction


This  is  an  audit  of  internal  controls  relating  to  The  Economic 
Assistance  Management  System  (TEAMS)  operated  by  the 
Department  of  Social  and  Rehabilitation  Services  (SRS).   We 
performed  an  electronic  data  processing  (EDP)  audit  of  TEAMS. 
We  selected  TEAMS  because  of  the  significance  of  federal 
entitlement  expenditures  (over  $262.3  million  in  fiscal  year 
1991-92)  and  because  TEAMS  is  the  state  of  Montana's  largest 
on-line  computer  application. 


EDP  Audit  General  and 
Application  Controls 


An EDP audit consists primarily of a review of internal controls.
In an automated environment the procedures for reviewing controls
are different from those used in a manual environment.
However, the objective of ensuring the reliability of controls is
still the same. EDP auditing entails performing a general and an
application control review. The general control review consists
of an examination of the following controls and objectives:


Organizational  -  No  one  person  should  be  able  to  conceal 
material  errors  or  irregularities. 

Procedural  -  Daily  operations  should  protect  against  processing 
errors. 

Hardware  and  Software  -  Hardware  and  systems  software  should 
identify  system  malfunctions  and  maintain  operations. 

System  Development  -  System  design  and  maintenance  activities 
should  promote  system  control  and  integrity. 

Physical  Controls  -  Loss  or  destruction  of  assets  and  records 
should  be  prevented  and  continuous  operations  should  be 
assured. 

Access  -  Access  to  hardware  and  electronic  information  should 
be  limited  to  authorized  individuals. 

A general control review provides information regarding the
ability to control EDP applications. Application controls are
specific to a given application or a set of programs that
accomplish a specific objective.

Application controls consist of an examination of the following
controls and objectives:

Input - Ensure all data is properly encoded to machine form, all
entered data is approved, and all approved data is entered.

Processing  -  Ensure  all  data  input  is  processed  as  intended. 

Output  -  All  processed  data  is  reported  and  properly  distributed 
to  authorized  individuals. 

A review of the application documentation and audit trail is also
performed. Applications must operate within the general controls
environment in order for reliance to be placed on them.


Audit  Objectives 


The  objectives  of  our  EDP  audit  at  SRS  were  to  determine: 

1.  The  adequacy  of  general  controls  specific  to  the  mainframe 
computer  environment  over  TEAMS. 

2. The adequacy of application controls in order to evaluate
the adequacy and accuracy of data processed and maintained
by TEAMS.

3.  The  adequacy  of  application  controls  for  determining  client 
eligibility  in  accordance  with  federal  regulations. 


Audit  Scope 


The audit was conducted in accordance with government auditing
standards. We measured SRS's general and application controls
against criteria established by the American Institute of
Certified Public Accountants (AICPA), General Accounting
Office (GAO), accepted industry EDP guidelines, and federal
regulations. We reviewed SRS's general controls related to the
mainframe computer environment which processes TEAMS. We
interviewed SRS personnel to gain an understanding of the hardware
and software environment. We also reviewed available
documentation relevant to TEAMS.


We conducted an application control review of TEAMS. We
reviewed input, processing, and output controls for this system
to ensure the system is meeting its objectives. We also
determined if controls over data are effective, as well as
adequate to ensure the accuracy of data during processing
phases.


Compliance 


We determined compliance with applicable state laws and federal
regulations. The areas tested included a review of compliance
with data processing requirements under section 2-15-114,
MCA, which include written policies and procedures regarding
security for all data and information technology resources. In
addition, we tested compliance with federal regulations established
by the Departments of Agriculture and Health and Human
Services for the Food Stamp, Aid to Families with Dependent
Children (AFDC), and Medicaid programs. Except as discussed
on pages 9 and 13, we found the department complied with state
laws and federal regulations.


General  Background 


The legislature created the Department of Social and Rehabilitation
Services (SRS) as a multi-function human services agency
under the Executive Reorganization Act of 1971. SRS provides
assistance to qualified individuals or families through programs
such as Medical Assistance, Food Stamp, and AFDC.


SRS's Family Assistance Division employs approximately 20
individuals who manage and supervise the Medical Assistance,
Food Stamp, and AFDC programs. These programs receive
funds from the federal government and the state of Montana.
SRS employees administer the programs at county offices. The
division's responsibility for the assistance programs includes
developing policies and procedures which comply with state and
federal laws and regulations. The programs' objectives are as
follows.

Medical  Assistance  (Medicaid)  -  The  federal  Department  of 
Health  and  Human  Services  and  the  state  pay  vendors  for 
medical  care  provided  to  eligible  individuals  who  cannot  afford 
medical  services. 

AFDC  -  The  federal  Department  of  Health  and  Human  Services 
and  the  state  provide  cash  payments  to  needy  dependent  children 
and  their  families  or  relatives  with  whom  they  reside. 

Food Stamp - The federal Department of Agriculture, through
SRS administration, provides coupons, free of charge, to participating
households. Recipients exchange these coupons for food
at participating grocery stores.

SRS caseworkers assist individuals applying for program benefits.
Caseworkers enter client information to TEAMS from a
client prepared application. Prior to implementing TEAMS,
caseworkers determined client eligibility and calculated program
benefits by manually comparing client information to federal
regulations and eligibility standards. TEAMS replaces this
manual process by automatically determining client eligibility
and calculating benefits.

With 300 microcomputers installed in county offices statewide,
TEAMS calculates program benefits for over 70,000 participants
and provides financial information for federal and state reporting.
Over 600 department and county employees use TEAMS
on a daily basis.

TEAMS operates on the state's mainframe computer maintained
by the Department of Administration's Information Services
Division in Helena. Since application integrity is dependent
upon consistent and reliable operation of the mainframe computer,
we audited the general control environment as it relates to
TEAMS.

SRS began TEAMS development in March 1988 and completed
the project in November 1991. Originally expected to cost $12.8
million, TEAMS was completed for $10.4 million. SRS contracted
with BDM Technologies for the design, development,
implementation, and facilities management operation of TEAMS.
Under the facilities management contract, BDM provides support
of all computer related processing functions including
software development, maintenance, testing, integration, user
training, and help desk services. SRS employs a TEAMS project
director who monitors the contract and serves as a liaison
between the department and BDM. The facilities management
contract will expire in August 1994. However, SRS can renew
the contract for two additional years.

Introduction


General controls are developed by the computer user to protect
assets and limit losses. In our review of the general control
environment over TEAMS' mainframe computer environment,
we found organizational, procedural, hardware, software, system
development, and physical access controls existed and were
adequate to provide integrity of application processing. However,
we noted weaknesses in electronic access controls. We
discuss these issues in the following sections.


Electronic  Access 
Controls 


Access controls provide electronic safeguards designed to protect
computer system resources. Logon IDs and passwords control
access to TEAMS computer programs and data. System and
application programmers have the highest degree of technical
expertise in the computer facility and, therefore, play an important
role in maintaining the application. However, department
managers have primary responsibility for maintaining adequate
controls. Without controls, computer specialists may conceal
changes to programs and data for personal gain.


Proper  access  controls  prevent  and  detect  deliberate  or  accidental 
errors  caused  by  improper  use  or  unauthorized  manipulation  of 
data,  programs,  and/or  computer  resources.   The  department's 
security  officer  writes  rules  which  limit  access  to  specific 
TEAMS  application  areas.   Assigning  limited  access  based  on  job 
duties  prevents  users  from  inadvertently  or  willfully  executing 
programs  or  changing  data  unrelated  to  their  job. 

SRS uses access control software called Access Control Facility-2
(ACF2) to control electronic access to TEAMS programs and
data stored on the mainframe computer. ACF2 controls access
through electronic rules which allow or prevent user access. In
addition, the department controls access through security programs
within TEAMS which control access to specific screens.
We reviewed access security for TEAMS and identified areas
where the department should improve access controls. Our findings
are discussed in the following sections.

SRS Should Restrict
Access to Production
Programs and Data


During  our  review  we  determined  Department  of  Administration 
programmers  and  TEAMS  programmers  have  unlogged  write 
access  to  TEAMS  production  programs  and  data.   Write  access 
allows  programmers  to  access  and  make  unauthorized  program 
changes  or  delete  entire  production  programs  and  data.   If 
unlogged,  there  is  no  record  of  programmer  access. 


Industry  standards  state  programmers  do  not  need  access  to 
system  or  application  libraries  which  would  provide  a  means  of 
bypassing  controls.   Their  activities  should  be  restricted  to  test 
programs  and  files,  with  access  only  to  those  programs  and  files 
needed  for  a  given  assignment.   If  a  programmer  is  allowed 
access  to  production  programs  or  data,  the  access  should  be 
logged  and  closely  monitored. 

Access to production programs and data could allow programmers
to add fictitious payments and disguise program changes.
The potential exists for unauthorized or untraceable manipulations
of critical information. For example, programmers could
change programs and data to issue AFDC benefits to fictitious
persons.

A  department  employee  indicated  security  rules  were  written  by 
a  former  security  officer.   The  employee  could  not  explain  why 
the  security  rules  allow  unlogged  programmer  access.   Unless 
activity  is  logged,  the  security  officer  reviewing  ACF2  reports 
does  not  know  when  programs  are  accessed. 


Recommendation  #1 

We  recommend  the  department: 

A.  Restrict  access  to  production  programs  and  data. 

B. Log and closely monitor programmer access to production
programs and data.
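
One way to check a rule set for the condition in this finding, as an added example that is not part of the audit report: it scans a simplified ACF2-style access rule text and reports where programmer UIDs hold write or allocate access to production data sets, separating unlogged access from logged access. The data set names, UID strings, the `PROD` qualifier and the mask handling are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed rule text in a simplified ACF2-style layout. Data set names and
# UID strings are hypothetical. A = allow, L = allow and log, P = prevent.
AS_FOUND = """\
$KEY(TEAMS)
 PROD.PGMLIB  UID(DOAPGM-)   READ(A) WRITE(A) EXEC(A)
 PROD.DATA.-  UID(BDMPGM-)   READ(A) WRITE(A) ALLOC(A)
 PROD.DATA.-  UID(SRSCASE-)  READ(A) WRITE(L)
 TEST.-       UID(BDMPGM-)   READ(A) WRITE(A) ALLOC(A) EXEC(A)
 PROD.-       UID(*)         READ(P)
"""

# The same rule set after applying Recommendation #1: routine programmer work
# is confined to TEST, and remaining production access is logged.
REMEDIATED = """\
$KEY(TEAMS)
 PROD.PGMLIB  UID(DOAPGM-)   READ(L) EXEC(A)
 PROD.DATA.-  UID(BDMPGM-)   READ(L) WRITE(L)
 PROD.DATA.-  UID(SRSCASE-)  READ(A) WRITE(L)
 TEST.-       UID(BDMPGM-)   READ(A) WRITE(A) ALLOC(A) EXEC(A)
 PROD.-       UID(*)         READ(P)
"""

KEY_RE = re.compile(r"^\$KEY\((\w+)\)")
ENTRY_RE = re.compile(r"^\s+(?P<dsn>\S+)\s+UID\((?P<uid>[^)]*)\)(?P<perms>.*)$")
PERM_RE = re.compile(r"\b(READ|WRITE|ALLOC|EXEC)\(([ALP])\)")


@dataclass(frozen=True)
class Finding:
    dataset: str   # full data set mask, key included
    uid_mask: str  # UID mask the rule entry applies to
    access: str    # WRITE or ALLOC
    status: str    # UNLOGGED (no record kept) or LOGGED (needs monitoring)


def uid_mask_may_cover(mask: str, prefix: str) -> bool:
    """True if a UID mask could apply to some UID that begins with `prefix`.

    Simplified matching (an assumption): '*' matches one character, '-'
    matches any remaining characters, and a mask is treated as a prefix.
    """
    for i, ch in enumerate(mask):
        if ch == "-" or i >= len(prefix):
            return True
        if ch != "*" and ch != prefix[i]:
            return False
    return True


def audit_rules(text, prod_prefixes=("PROD",), programmer_uids=("DOAPGM", "BDMPGM")):
    """Report programmer write/allocate access to production data sets.

    Each rule entry is judged on its own; rule ordering and specificity,
    which decide the winning entry in a real rule set, are not modelled.
    """
    findings, key = [], None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if not entry or key is None:
            continue
        dsn, uid = entry.group("dsn"), entry.group("uid")
        if not dsn.startswith(tuple(prod_prefixes)):
            continue  # test libraries are where programmers are meant to work
        if not any(uid_mask_may_cover(uid, p) for p in programmer_uids):
            continue
        perms = dict(PERM_RE.findall(entry.group("perms")))
        for access in ("WRITE", "ALLOC"):
            value = perms.get(access, "P")  # an unspecified access is prevented
            if value == "A":
                findings.append(Finding(f"{key}.{dsn}", uid, access, "UNLOGGED"))
            elif value == "L":
                findings.append(Finding(f"{key}.{dsn}", uid, access, "LOGGED"))
    return findings


def unlogged(findings):
    """Entries that leave no record for the security officer to review."""
    return [f for f in findings if f.status == "UNLOGGED"]


if __name__ == "__main__":
    for label, rules in (("as found", AS_FOUND), ("remediated", REMEDIATED)):
        print(label)
        for f in audit_rules(rules):
            print(f"  {f.status:8} {f.access:5} {f.dataset:18} UID({f.uid_mask})")
```

The `LOGGED` entries are not failures; they are the access that the logging and monitoring in part B of the recommendation is meant to cover.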

User Access Should Agree
to Job Needs

We found 678 SRS and BDM Technologies employees with access
to TEAMS. The department assigns employee access to various
on-line screens depending upon the employee position description.
The access allows users to view or change on-line screen
information. For example, caseworkers review and update
previously reported client income and expenses during monthly
client interviews.

We reviewed access privileges for 20 users and found 11 users
with inappropriate access which allows them to issue replacement
food stamps. These employees could accidentally or deliberately
issue unauthorized Food Stamp benefits to participating
applicants or fictitious individuals. In addition, 2 of the 20
employees tested have access privileges inconsistent with their
current job duties. These employees were provided access which
allows them to authorize program benefits to participating
clients. The employees stated they use TEAMS to view information
and do not authorize benefits. We determined access for
these two employees was set up during TEAMS development.

Industry  standards  recommend  management  limit  user  access  to 
data  files  required  to  process  or  maintain  particular  applications 
in  the  performance  of  their  duties.   Because  of  access  concerns 
we  identified,  a  person  could  inappropriately  or  accidentally 
issue  replacement  food  stamps,  view  confidential  information,  or 
make  unauthorized  changes. 

To improve access controls, we believe the department should
establish access review procedures. For example, the department
could require department supervisors to review current employees'
access levels to determine if access rights granted are
reasonable. We believe access review procedures performed
every three to six months would prevent the access problems we
noted.

We  informed  the  department  of  our  audit  findings.   Department 
officials  were  not  aware  TEAMS  users  could  issue  replacement 
food  stamps  but  stated  they  have  taken  corrective  action.   In 
addition,  the  department  stated  they  would  establish  procedures 
to  agree  employee  access  to  current  position  duties. 

Recommendation #2

We  recommend  the  department  establish  access  control 
procedures  which  require  department  supervisors  to  review 
access  rights  and  determine  if  access  corresponds  to 
employee  job  responsibilities. 


Independent Review of
ACF2 Reports

ACF2 software provides a daily report of logged user access to
TEAMS programs and data. In addition, agencies receive a
violation report which lists all unauthorized users who attempted
to electronically access agency files. The department security
officer reviews these ACF2 reports to monitor who accesses
which program libraries and to determine whether access is
authorized. We determined the department's security officer is
the only individual who reviews ACF2 violation reports.

The  security  officer  has  unlimited  access  to  software  and  data 
files.   A  security  officer  can  access,  change,  or  delete  programs 
and  data  without  detection.   An  individual  outside  of  the 
security  and  data  processing  environment  should  review  ACF2 
reports  in  addition  to  the  security  officer.   An  independent 
review  provides  more  effective  access  control  by  reviewing 
access  violations,  programmer  activity,  and  changes  to  security. 

Without an independent review, the potential exists for inappropriate
access and unauthorized changes to TEAMS data and programs.
We discussed our finding with department officials. The
officials were not aware potential control weaknesses exist but
have agreed to perform independent reviews of ACF2 reports.

Recommendation #3

We  recommend  the  department  establish  procedures  for  an 
independent  review  of  ACF2  reports. 


Internal Evaluations of
Security

We determined the department has not established a formal
policy to perform internal evaluations of security in accordance
with state law. Section 2-15-114, MCA, requires department
heads to be ". . . responsible for assuring an adequate level of
security for all data and information technology resources within
his department and shall ... (4) ensure internal evaluations of
the security program for data and information technology
resources are conducted."

The  department  should  establish  policies  and  procedures  which 
address  safeguarding  data  and  information  technology  resources 
including  microcomputer  policies  and  program  documentation. 
These  procedures  include,  but  are  not  limited  to,  the  following: 

1. Conduct and periodically update a comprehensive risk
analysis to determine security threats to data and information
resources.

2. Develop and periodically update written policies and procedures
which provide security over data and information
resources.

3.  Implement  appropriate  cost-effective  safeguards  to  reduce, 
eliminate,  or  recover  from  identified  risks  to  data  and 
information  resources. 

4.  Perform  periodic  internal  audits  and  evaluations  of  the 
security  program  for  data  and  information  resources. 

We  believe  the  electronic  access  control  issues  discussed  on 
pages  6  through  8  resulted  because  the  department  does  not  have 
formal  policies  and  procedures  for  internal  evaluations  of 
security.   Department  personnel  indicated  they  were  not  aware 
of  the  state  law. 

Recommendation #4

We recommend the department develop formal policies and
procedures for internal evaluations of security in accordance
with state law.

Introduction

TEAMS is an on-line application which maintains client information
and determines client eligibility for the AFDC, Food
Stamp, and Medicaid programs. Because TEAMS is an on-line
application, it determines client eligibility and calculates Food
Stamp and AFDC benefits during the client interview. TEAMS
also determines client eligibility for Medicaid and reports
eligibility information to a service center which processes
Medicaid claims. Individuals apply for assistance at local county
human services departments throughout Montana.

SRS's Family Assistance Division manages and supervises the
Food Stamp, AFDC, and Medicaid programs. The division's
responsibilities include developing policies and procedures which
comply with state and federal laws and regulations. The division
also supervises the implementation of these programs at the
counties. SRS employees at the counties administer the programs.

The  Food  Stamp,  AFDC,  and  Medicaid  programs  are  defined  by 
the  federal  government  as  major  federal  financial  assistance  to 
the  state  of  Montana.   Programs  are  defined  as  major  if  annual 
federal  assistance  expenditures  exceed  $3  million.   The  federal 
Departments  of  Health  and  Human  Services,  and  Agriculture 
reviewed  and  certified  the  TEAMS  application  upon  completion 
of  system  development. 

We  performed  an  application  review  of  TEAMS.   During  our 
review,  we  examined  the  existing  input,  processing,  and  output 
controls.   Overall,  we  concluded  the  controls  over  TEAMS  are 
adequate  to  determine  client  eligibility  and  calculate  benefits  in 
accordance  with  federal  regulations.   However,  we  found  areas 
where  the  controls  should  be  improved  over  the  security  and 
integrity  of  TEAMS  data.   This  chapter  summarizes  our  review 
of  TEAMS. 

Input Procedures


Caseworkers at county offices throughout Montana interview
and assist clients applying for Medicaid, Food Stamp, and AFDC
benefits. The caseworkers enter information to TEAMS from
client prepared applications. When the caseworker has entered
data to TEAMS, the computer application automatically determines
client eligibility and calculates benefits.


TEAMS  compares  client  financial  resources,  living  expenses,  and 
family situation to federal eligibility standards. TEAMS determines
if applicants meet eligibility standards and calculates
benefit  payments  clients  should  receive.    For  TEAMS  to  properly 
determine  eligibility  and  calculate  benefits,  caseworkers  must 
enter  all  client  information  to  TEAMS  accurately. 

Input  controls  are  designed  to  ensure  accuracy  and  completeness 
of  data  entered  to  computer  applications.   These  include  controls 
built  within  an  application  and  outside  controls  implemented  by 
management.   For  example,  help  screens  guide  caseworkers 
through  various  data  entry  procedures.   In  addition,  TEAMS 
includes  controls  designed  to  detect  inaccurate  or  unreasonable 
data  input.   However,  as  discussed  below,  we  found  management 
could  implement  additional  controls  to  improve  completeness 
and  accuracy  of  information  input  to  TEAMS. 

We  reviewed  58  client  files  for  each  federal  program  to  test 
whether  TEAMS  properly  determined  client  eligibility  and 
calculated  benefits  in  accordance  with  federal  regulations.   We 
found  TEAMS  properly  determines  eligibility  and  accurately 
calculates  benefits  based  on  the  information  entered  from  the 
application.   However,  we  identified  several  instances  where 
caseworkers  overlooked  applicant  information  or  incorrectly 
entered the information to TEAMS. These issues are summarized
below.

Data Accuracy


TEAMS  is  designed  to  accurately  determine  client  eligibility  and 
calculate  benefits  for  the  AFDC,  Food  Stamp,  and  Medicaid 
programs.   To  meet  this  objective,  client  data  entered  on 
TEAMS  must  be  accurate.    As  discussed  in  the  following 
sections,  we  found  instances  where  SRS  could  improve  data 
accuracy. 


Incorrect Expenditure Allowances Caused Improper Benefit Awards


TEAMS evaluates client living expenses to calculate the amount
of Food Stamp coupons clients should receive. Federal regulations
for the Food Stamp program define specific expenditure
allowances. These allowances represent the maximum living
expenses which are deducted from monthly income to determine
need. For example, federal regulations limit the shelter allowance
to $194. If a client pays $244 a month for rent, only
expenses up to $194 are considered when determining eligibility.
We found several instances where the caseworkers entered incorrect
expenditure allowances to TEAMS. Two of these errors
caused improper benefit awards to Food Stamp clients.


Federal  regulations  allow  disabled  clients  to  claim  actual  monthly 
housing  costs  incurred,  even  if  costs  exceed  the  maximum  shelter 
allowance. We determined a disabled client received the maximum
shelter deduction when his actual housing costs were more.
As  a  result,  the  client  was  underawarded  Food  Stamp  benefits  by 
$2.56.   The  caseworker  could  not  explain  why  this  error  occurred 
but  corrected  the  error  after  we  brought  it  to  the  caseworker's 
attention. 

In  the  other  instance,  we  determined  a  caseworker  entered  the 
standard  utility  allowance  for  a  Food  Stamp  client  who  was  not 
eligible  for  the  allowance.   Federal  regulations  allow  a  standard 
utility  allowance  of  $225  per  month  for  clients  who  incur  utility 
expenses  separate  from  rent  or  mortgage  expenses.   If  the  client 
participates  in  the  Low  Income  Energy  Assistance  Program 
(LIEAP),  they  are  automatically  entitled  to  receive  the  standard 
utility  allowance.   This  client  had  participated  in  LIEAP  prior  to 
the month tested. However, we determined the client was no
longer participating in LIEAP and was therefore not eligible for
the utility allowance, so utility expenses were overstated. Because
the caseworker overstated utility expenses, the client received
excess Food Stamp benefits of $60. The caseworker did not
realize the client no longer participated in the LIEAP program.
The caseworker did not correct this error after we brought it to
the caseworker's attention. We question the allowability of $60
charged to the Food Stamp program (CFDA #10.551).


TEAMS Information did not Agree to Application


We compared the information on the client application to data
input  on  TEAMS.   Of  the  58  case  files  for  each  program,  we 
found  the  following  instances  where  information  did  not  agree. 


1.  Seven  Medicaid  cases  contained  incorrect  vehicle  year,  date 
of  birth,  and/or  marital  status. 

2.  Eight  AFDC  cases  contained  incorrect  Indian  enrollment, 
social  security  numbers,  date  of  birth,  and/or  asset  values. 

3.  Three  Food  Stamp  cases  included  incorrect  marital  status, 
income  type,  and/or  eligibility  start  date. 

Industry  standards  suggest  management  implement  effective 
input  controls  to  prevent  inaccurate  data  entry  to  computer 
applications.   Although  these  errors  did  not  affect  eligibility  or 
benefits,  the  potential  exists  that  such  errors  could  cause 
incorrect  determination  of  eligibility  and  benefit  payments. 
Caseworkers  could  not  explain  why  these  errors  occurred. 


Client Resources not Included on TEAMS


We  found  four  Medicaid  cases  where  caseworkers  did  not 
include  client  vehicles  on  TEAMS.   Federal  regulations  allow 
Medicaid  applicants  to  exclude  one  vehicle  from  financial 
resources  if  the  vehicle  is  required  for  employment  or  regular 
medical  treatment,  serves  as  handicap  transportation,  or  is 
needed to perform essential daily activities. If the vehicle does
not meet these criteria, federal regulations require the fair market
value in excess of $4,500 be included as a resource to determine
Medicaid eligibility. Unless all vehicles are included on
TEAMS, more than one vehicle could be exempted from
resources, causing improper determination of Medicaid eligibility.

In another instance, we found TEAMS did not include all client
bank  accounts  for  a  Food  Stamp  case.    Although  this  error  did 
not  affect  financial  eligibility,  excluding  bank  accounts  from 
TEAMS  could  cause  excess  Food  Stamp  benefit  awards. 

Industry  standards  suggest  management  implement  effective 
input controls to provide completeness of data entered to computer
applications. Caseworkers indicated these errors were an
oversight  and/or  they  did  not  enter  information  to  TEAMS 
because  it  did  not  affect  eligibility.  Caseworkers  should  include 
all  client  information  and  rely  on  TEAMS  to  properly  determine 
eligibility  and  calculate  benefits. 

Summary

Based on our findings, we believe the department should implement
additional input controls to provide complete and accurate
client information. We found situations where caseworkers
entered improper expenditure allowances and incorrect information.
In addition, we found caseworkers did not enter all client
information. These errors occurred because caseworkers overlooked
client information or determined the information was not
necessary  to  include  on  TEAMS.   As  discussed  on  page  14,  we 
found  errors  which  caused  improper  Food  Stamp  benefit  awards. 
While  most  errors  did  not  affect  eligibility  or  benefits,  these 
errors  could  cause  improper  AFDC,  Food  Stamp,  or  Medicaid 
awards. 

The  department's  Audit  and  Compliance  Bureau  randomly 
selects  case  files  for  review.   The  review  objective  is  to  identify 
cases where eligibility or benefit awards were improperly determined.
We found the Audit and Compliance Bureau reports
instances  of  incomplete  or  inaccurate  data  entry  on  TEAMS  to 
county  offices  but  does  not  determine  if  counties  corrected  the 
errors.   Even  though  eligibility  and  benefits  were  proper  during 
case  review,  incomplete  or  inaccurate  client  information  could 
cause  improper  awards  in  future  benefit  periods.    For  example, 
if  client  information  or  federal  regulations  change,  incomplete  or 
inaccurate  client  data  could  cause  improper  benefit  awards.   We 
believe  the  department  should  establish  procedures  to  determine 
if  county  offices  correct  all  reported  instances  of  incomplete  or 
inaccurate data entry on TEAMS. In addition, county office
supervisors could randomly review cases to determine if caseworkers
entered information accurately and completely on
TEAMS.


Recommendation  #5 

We  recommend  the  department  establish  procedures  to: 

A.  Provide  complete  and  accurate  client  information  on 
TEAMS. 

B.  Correct  all  reported  instances  of  inaccurate  and/or 
incomplete  client  information  on  TEAMS. 


Verification  Procedures 


Caseworkers enter verification codes to TEAMS which document
if they visually verified client information, accepted client statement,
or if they obtained hard copy documentation. Although
caseworkers receive training to operate TEAMS, we determined
the department has not provided clear guidelines for proper use
of verification codes. We found caseworkers follow inconsistent
procedures for verification codes. We also determined different
counties follow different procedures for documenting information
in client case files. For example, some county caseworkers
obtain and file all hard copy verified information while others
use the hard copy verification code to indicate they only
reviewed documentation.


Federal regulations do not specifically require hard copy documentation
for AFDC and Medicaid eligibility determination.
However, federal regulations for the Food Stamp program state
"Documentation must be in sufficient detail to permit a reviewer
to determine the reasonableness and accuracy of eligibility
determination." In addition, EDP guidelines suggest management
establish training procedures and user documentation
which provides for proper data input to computer applications.
Although SRS has an established training program and user
manuals, we believe the department should provide clear
instructions for verification codes.

We  found  instances  where  caseworkers  entered  the  hard  copy 
verification  code  but  did  not  verify  client  savings  accounts  or 
include  supporting  documentation  for  client  resources  or 
expenses in the case files. Because the caseworkers did not
obtain documentation for the client accounts, we could not determine
if these clients were properly determined eligible for
AFDC or Food Stamp benefits. Caseworkers stated they accidentally
entered the wrong verification code.

Department  officials  indicated  TEAMS  was  designed  to  reduce 
paperwork  so  they  established  the  visual  verification  code. 
However,  instructions  for  verification  code  use  would  improve 
caseworker  efficiency  and  provide  consistent  documentation 
procedures  for  client  information. 


Recommendation  #6 

We  recommend  the  department  establish  additional 
instructions  which  address  use  of  verification  codes. 


Additional Input Edits Required

TEAMS' primary method of providing data integrity is through
application validity edits. Application edits are designed to
compare input data to preestablished limits and reasonableness
tests. TEAMS edits include alpha and numeric checks to ensure
data input is reasonable. We reviewed application edits to
determine if edits provide integrity of information processed by
TEAMS. Overall, we determined existing edits operate as
intended. However, we determined SRS should create additional
edits to further enhance the integrity of TEAMS data.

1. Food Stamp recipients may request replacement for lost,
damaged,  or  undelivered  Food  Stamp  coupons.    Federal 
regulations  limit  replacement  food  stamps  to  twice  in  a  six 
month  period,  for  each  cause,  if  originally  issued  food 
stamps  are  not  returned.   An  edit  does  not  exist  to  prevent 
replacement  food  stamps  more  than  twice  within  six 
months.   Recipients  could  claim  to  have  lost  food  stamps 
and  inappropriately  receive  replacement  coupons.   We 
believe  the  department  should  consider  an  edit  to  verify 
that  lost,  damaged,  or  undelivered  Food  Stamp  coupons 
were  not  previously  replaced  twice  within  six  months 
before  allowing  additional  replacements. 

2.  Federal  regulations  require  AFDC  applicants,  under  age  60, 
to  register  for  work.   Caseworkers  enter  a  code  which 
designates  clients,  age  60  or  older,  exempt  from  work 
registration  due  to  age.    We  determined  TEAMS  does  not 
check  the  exemption  code  against  the  client's  date  of  birth. 
A client could be improperly exempted from work registration
and still receive AFDC benefits. SRS could add an edit
which  determines  if  the  client  is  not  age  60  or  older  and 
prevents  improper  use  of  the  exemption  code. 

3. Federal regulations allow a client to be classified as automatically
eligible to receive food stamps if all household
members are authorized to receive general assistance,
supplemental security income, or AFDC benefits. Caseworkers
enter a code to TEAMS which designates these
individuals as eligible to receive food stamps. We determined
a caseworker entered the code for a client even
though the client was not authorized to receive general
assistance, Social Security income, or AFDC benefits. The
department should develop an edit which verifies reasonableness
of the eligibility code. Department officials indicated
they are working to correct this problem.
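
The three cross-field edits described in items 1 to 3, sketched as an added example; this is not TEAMS code. The field names, the exemption code value, the program abbreviations and the 183-day reading of "six months" are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumptions for this sketch: field names, code values and the 183-day
# window are invented; the report gives no TEAMS codes or record layouts.
WORK_EXEMPT_AGE = "AGE60"               # hypothetical work-registration exemption code
CATEGORICAL_PROGRAMS = {"GA", "SSI", "AFDC"}
REPLACEMENT_LIMIT = 2
SIX_MONTHS = timedelta(days=183)


@dataclass
class Replacement:
    issued: date
    cause: str                  # "lost", "damaged" or "undelivered"
    originals_returned: bool    # returned originals do not count toward the limit


@dataclass
class Member:
    name: str
    birth_date: date
    programs: set = field(default_factory=set)  # programs the member is authorized for


def age_on(birth_date, as_of):
    """Whole years of age on a given date."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)


def edit_replacement(history, cause, request_date):
    """Item 1: refuse a third replacement for the same cause within six months."""
    window_start = request_date - SIX_MONTHS
    prior = [r for r in history
             if r.cause == cause and not r.originals_returned
             and window_start <= r.issued <= request_date]
    if len(prior) >= REPLACEMENT_LIMIT:
        return [f"REPL-LIMIT: {len(prior)} '{cause}' replacements since {window_start}"]
    return []


def edit_work_exemption(member, exemption_code, as_of):
    """Item 2: the age exemption code must agree with the date of birth."""
    if exemption_code == WORK_EXEMPT_AGE and age_on(member.birth_date, as_of) < 60:
        return [f"AGE-EXEMPT: {member.name} is under 60 on {as_of}"]
    return []


def edit_categorical(household, categorical_flag):
    """Item 3: every household member must be authorized for GA, SSI or AFDC."""
    if not categorical_flag:
        return []
    if not household:
        return ["CAT-ELIG: no household members on file"]
    missing = [m.name for m in household if not (m.programs & CATEGORICAL_PROGRAMS)]
    return [f"CAT-ELIG: no GA/SSI/AFDC authorization for {', '.join(missing)}"] if missing else []


# Constructed sample case (not data from the audit).
TODAY = date(1993, 5, 15)
HISTORY = [
    Replacement(date(1992, 6, 1), "lost", False),      # outside the window
    Replacement(date(1993, 1, 10), "lost", False),
    Replacement(date(1993, 3, 2), "lost", False),
    Replacement(date(1993, 4, 1), "damaged", False),
]
HOUSEHOLD = [
    Member("A", date(1935, 8, 20), {"AFDC"}),
    Member("B", date(1933, 5, 15), set()),             # turns 60 on TODAY
]


def run_sample():
    """Run all three edits over the constructed case and collect the findings."""
    findings = []
    findings += edit_replacement(HISTORY, "lost", TODAY)
    findings += edit_replacement(HISTORY, "damaged", TODAY)
    findings += edit_work_exemption(HOUSEHOLD[0], WORK_EXEMPT_AGE, TODAY)
    findings += edit_work_exemption(HOUSEHOLD[1], WORK_EXEMPT_AGE, TODAY)
    findings += edit_categorical(HOUSEHOLD, True)
    return findings


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Each edit returns a list of findings rather than raising, so a data entry screen can show every failed check at once or route the case to a supervisor.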

Based  on  our  testing,  we  determined  overall  edits  function 
effectively  to  maintain  integrity  of  information  produced  by 
TEAMS.   However,  as  noted  above,  the  department  could  create 
additional edits to prevent improper benefit awards.


Recommendation #7

We recommend the department establish additional edits,
as determined necessary, to prevent improper eligibility
determination and benefit awards.


Other Controls


Additional Controls Over Interfaces Required


TEAMS shares information with the Social Security Administration
and state of Montana Department of Labor and Industry
for verification of applicant social security numbers and income,
respectively. The information is transferred to TEAMS by electronic
file and computer tapes. In addition, the department
provides a third-party contractor with a computer tape of eligible
Medicaid client information for processing medical claims.
We  determined  the  department  should  improve  procedures  to 
properly  transfer  shared  information  between  TEAMS  and  other 
computer  applications. 


Industry  standards  suggest  movement  of  data  between  computer 
applications  should  be  controlled.   Such  control  should  be 
established to preclude lost, added, or altered data. The department
could use control totals to compare total records transferred
between systems and determine if all records completely transferred.
Incomplete social security number and wage verification
data  could  allow  improper  eligibility  determination  and  benefit 
awards.   In  addition,  Medicaid  records  could  be  incomplete  or 
incorrectly  report  medical  assistance  eligibility. 

A BDM employee indicated the federal government could provide
record totals with their computer tapes. The employee also
indicated BDM does not use control totals for other information
transferred between TEAMS and other computer applications.
SRS could implement additional input controls to ensure shared
information is completely transferred between TEAMS and other
computer applications.
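
How control totals catch lost, added, or altered records on an interface file, as an added example that is not code from TEAMS or BDM. The pipe-delimited layout, the trailer record and the sample case numbers are assumptions; the hash total over case numbers is a standard companion to record and amount totals that the report does not name.

```python
from decimal import Decimal, InvalidOperation


def build_batch(records):
    """Sending side: one detail line per record, then a trailer with the totals."""
    lines = [f"D|{case_id}|{amount}" for case_id, amount in records]
    amount_total = sum((Decimal(a) for _, a in records), Decimal("0"))
    # Hash total: a sum of key values with no business meaning, kept only so
    # that a changed or substituted case number shows up on the receiving side.
    hash_total = sum(int(case_id) for case_id, _ in records)
    lines.append(f"T|{len(records)}|{amount_total}|{hash_total}")
    return lines


def verify_batch(lines):
    """Receiving side: recompute the totals and list every disagreement."""
    if not lines or not lines[-1].startswith("T|"):
        return ["missing trailer: file may be truncated"]
    try:
        _, t_count, t_amount, t_hash = lines[-1].split("|")
        expected = (int(t_count), Decimal(t_amount), int(t_hash))
    except (ValueError, InvalidOperation):
        return ["unreadable trailer"]

    problems = []
    count, amount, hash_total = 0, Decimal("0"), 0
    for number, line in enumerate(lines[:-1], start=1):
        parts = line.split("|")
        try:
            if len(parts) != 3 or parts[0] != "D":
                raise ValueError
            case_id, value = int(parts[1]), Decimal(parts[2])
        except (ValueError, InvalidOperation):
            problems.append(f"line {number}: malformed detail record")
            continue
        count += 1
        amount += value
        hash_total += case_id

    labels = ("record count", "amount total", "hash total")
    for label, want, got in zip(labels, expected, (count, amount, hash_total)):
        if want != got:
            problems.append(f"{label}: trailer {want}, received {got}")
    return problems


# Constructed sample records: (case number, benefit amount).
SAMPLE = [("100234", "187.00"), ("100571", "225.00"), ("100902", "60.00")]

if __name__ == "__main__":
    batch = build_batch(SAMPLE)
    print(verify_batch(batch))                            # clean transfer
    print(verify_batch([batch[0], batch[2], batch[3]]))   # one record lost
```

Totals of this kind detect accidental loss or corruption in transit; a deliberate change that also rewrites the trailer passes them, which is why the totals should reach the receiver by a separate path or be replaced by a keyed integrity check.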


Recommendation  #8 

We  recommend  the  department  evaluate  and/or  modify 
procedures  to  ensure  shared  information  is  completely 
transferred between TEAMS and other computer applications.


All Table Changes Should be Authorized and Approved


Family  Assistance  Division  establishes  program  policy  for 
AFDC,  Medicaid,  and  Food  Stamp  programs  in  accordance  with 
federal  regulations.    Program  policy  is  incorporated  within  the 
TEAMS  application  through  various  tables.   TEAMS  processes 
client  information  against  table  benefit  standards  and  income 
limits to determine client eligibility in accordance with
federal regulations. For example, a caseworker enters client
income and household size. TEAMS compares this information
to state and federal standards included in the tables and automatically
determines the authorized Food Stamp award. The
Food  Stamp  benefit  is  electronically  added  to  the  benefit  screen. 


We determined the department should establish additional procedures
to authorize and approve all table changes. Currently, a
department employee identifies and reports required table
changes to the Family Assistance Division. When the employee
completes table changes, the employee forwards the changes to
BDM personnel who review, test, and implement the table
change. Because BDM implements the change prior to SRS management
approval, all table changes which affect policy and
program compliance may not be authorized by the Family Assistance
Division. As a result, unintentional and unauthorized
changes could be made to system tables which could cause
improper eligibility determination and/or benefits.

Industry standards suggest all table changes be authorized by
management.   SRS  should  implement  controls  to  monitor  and 
review  all  table  changes.   SRS  could  require  BDM  to  receive 
approval  from  department  management  prior  to  implementing 
table  changes. 

A  Family  Assistance  Division  official  believes  all  problem 
reports  are  forwarded  to  the  department  for  review.   However, 
current  procedures  could  allow  some  problem  reports  to  pass 
through  the  process  without  SRS  authorization. 


Recommendation  #9 

We  recommend  the  department  establish  procedures  to 
review  and  authorize  all  table  changes. 


Conclusion

We determined TEAMS properly calculates client eligibility and
benefits for Medicaid, Food Stamp, and AFDC programs. We
believe  the  application  meets  its  established  objectives  and  is 
operating  as  it  was  intended.   However,  we  noted  concerns 
regarding  data  input  to  TEAMS.   Although  we  found  only  two 
instances  where  benefits  were  affected  by  data  entry  errors,  we 
found  numerous  data  entry  errors.   We  believe  the  potential  for 
inappropriate  benefit  distribution  exists.   By  addressing  these 
concerns  and  improving  data  entry  controls,  database  accuracy 
would  be  improved. 




Agency  Response 




MARC RACICOT

DEPARTMENT OF
SOCIAL AND REHABILITATION SERVICES

PETER S. BLOUKE, PhD
DIRECTOR

STATE OF MONTANA

P.O. BOX 4210
HELENA, MONTANA 59604-4210


June  3,  1993 


Mr.  Scott  Seacat 

Office  of  the  Legislative  Auditor 

State  Capitol 

Helena,  MT   59620 

Dear  Mr.  Seacat: 

Attached are the department's responses to the EDP audit of The
Economic Assistance Management System (TEAMS). It is reassuring to
hear  from  you  that  the  TEAMS  application  meets  its  established 
objectives  and  is  operating  as  it  was  intended. 

I  would  like  to  thank  Mary  Bryson,  Jill  Olson,  Rich  McRae  and  the 
members  of  the  audit  team.  The  review  was  thorough  and  conducted 
in  a  very  professional  manner.  I  appreciate  the  constructive 
recommendations  and  will  ensure  that  steps  are  taken  to  continue  to 
improve  the  efficiency  and  effectiveness  of  TEAMS. 

Sincerely, 


Michael G. Billings,
Director
Office of Management Analysis & Systems

CC:   Peter  Blouke,  Director,  SRS 

Marilyn  Carlin,  TEAMS  Project  Director 

Penny  Robbe,  Chief,  Program  and  Policy  Bureau 

Roger  LaVoie,  Administrator,  Family  Assistance  Division 

Teri  Lundberg,  Chief,  Microcomputer  Technology  Center 

Rich McRae, Senior EDP Auditor


"AN EQUAL OPPORTUNITY EMPLOYER"


Recommendation  #1  (page  7) 

A.  Restrict  access  to  production  programs  and  data. 

Response:  Agree. 

A  complete  review  of  security  classes  and  dataset  rules  for 
TEAMS  programmers  was  made  in  March  during  the  audit. 
Access  levels  were  modified  as  a  result  of  the  review.  Reviews 
will  be  done  every  six  months  by  the  security  officer. 

B.  Log  and  closely  monitor  programmer  access  to  production  programs 
and  data. 

Response:  Agree. 

Rules  for  TEAMS  datasets  for  programmers  have  been  changed 
so  that  access  is  logged  and  will  be  monitored  by  the  security 
officer. 

Recommendation  #2  (page  9) 

We  recommend  the  department  establish  access  control  procedures 
which  require  department  supervisors  to  review  access  rights  and 
determine  if  access  corresponds  to  employee  job  responsibilities. 

Response:  Agree. 

The  SRS  Security  Task  Force  is  currently  working  on 
establishing  access  review  procedures. 

In  regard  to  the  users  who  had  inappropriate  access  which 
allowed  them  to  issue  replacement  food  stamps,  this  was  an 
error in programming which has been corrected.

We do not agree with the statement on page 8 that two users
had  access  which  allowed  them  to  authorize  program  benefits. 
These  users  did  not  have  a  caseload  number  which  is  needed 
in  order  to  authorize  benefits.  Therefore,  benefits  could  not  have 
been  issued. 

As  directed  by  the  Administrator  of  Family  Assistance  Division, 
the  security  class  description  for  these  users  was  eliminated  and 
they  were  given  the  same  access  as  other  Family  Assistance 
staff. 

Recommendation  #3  (page  10) 

We  recommend  the  department  establish  procedure  for  an 
independent  review  of  ACF2  reports. 

Response:  Agree. 

An  individual  who  does  not  work  for  the  SRS 
Microcomputer  Technology  Center  and  is  familiar  with 
ACF2  has  been  assigned  to  review  ACF2  reports. 

Recommendation  #4  (page  11) 

We  recommend  the  department  develop  formal  policies  and 
procedures  for  internal  evaluations  of  security  in  accordance  with  state 
law. 

Response:  Agree. 

The  SRS  Security  Task  Force  is  currently  working  on 
developing  policies  and  procedures  for  internal 
evaluations  of  security.  A  draft  policy  will  be  submitted  to 
the department director by July 1, 1993.

Recommendation #5 (page 17)

We  recommend  the  department  establish  procedures  to: 

A. Provide complete and accurate client information on TEAMS.

B.  Correct  all  reported  instances  of  inaccurate  and/or  incomplete 
client  information  on  TEAMS. 

Response: 

A.  Agree. 

Caseworkers  will  be  reminded  that  all  information  is  to  be  entered  into 
TEAMS. 

B.  Agree. 

When  Quality  Control  reviews  indicate  inaccurate  or  missing  data,  the 
county  will  be  reminded  to  correct  or  enter  that  data  on  TEAMS. 

Recommendation  #6  (page  18) 

We  recommend  the  department  establish  additional  instructions  which 
address  use  of  verification  codes. 

Response:   Agree. 

The  Department  sent  additional  instructions  to  the  field  on  April  9, 
1993  regarding  the  proper  use  of  verification  codes. 

Recommendation  #7  (page  20) 

We  recommend  the  department  establish  additional  edits,  as 
determined  necessary,  to  prevent  improper  eligibility  determination 
and  benefit  awards. 

Response: Partially agree.

The Department does believe that additional edits are sometimes
necessary  to  maintain  the  integrity  of  the  system.  There  is  currently 
a  process  in  place  to  evaluate  the  efficiency  and  cost-effectiveness  of 
additional  edits.  This  process  operates  through  the  TEAMS  Change 
Control  Committee,  a  group  of  department  representatives  responsible 
for  the  approval  and  prioritization  of  all  TEAMS  enhancement 
requests. 

Finding  1: 

The Department does not concur that edits for Food Stamp replacements
are appropriate at this time. A system edit preventing additional
replacements would be difficult or impractical to impose considering
the  complicated  regulations  and  time  frames  for  making  various  types 
of  replacements. 

However,  the  Department  will  consider  having  a  report  developed 
which would report those cases where three or more replacements (not
having  an  RT  status  in  the  Food  Stamp  Issuance  History)  have 
occurred  for  each  replacement  reason  within  a  six  month  period. 

Finding  2: 

The  Department  concurs  that  there  is  no  edit  to  prevent  improper  use 
of  an  exemption  code  for  AFDC  recipients.  A  redesign  of  the  work 
registration  screen  for  AFDC  (WORA)  is  anticipated  within  the  current 
biennium. 

Finding  3: 

The  Department  concurs  that  an  edit  which  allows  certain  households 
to  be  determined  as  automatically  eligible  (categorically  eligible)  is 
necessary. This edit was implemented in May 1993.

Recommendation  #8  (page  21) 

We  recommend  the  department  evaluate  and/or  modify  procedures  to 
ensure  shared  information  is  completely  transferred  between  TEAMS 
and other computer applications.



Response:   Agree. 

The  most  critical  TEAMS  interfaces,  such  as  SBAS,  SAWWS,  and 
SSDC  (food  stamp  issuance  contractor)  currently  have  record  and 
amount  control  totals. 

While  we  agree  that  control  totals  are  a  standard  concept  for  most 
interfaces,  in  order  to  be  effective  both  the  sending  and  receiving 
systems must implement them. Consequently, the ability to implement
such controls is dependent on the willingness of the receiving
parties  to  alter  their  systems  to  provide  them.  An  enhancement 
request  to  add  control  totals  on  all  TEAMS  interfaces  has  been 
submitted  to  the  Change  Control  Committee  for  prioritization. 

Recommendation  #9  (page  22) 

We  recommend  the  department  establish  procedures  to  review  and 
authorize  all  table  changes. 

Response:   Agree. 

Generally,  table  changes  are  made  at  the  written  request  of  the 
department.  In  instances  where  a  written  request  for  a  table  change 
has  not  been  initiated  by  the  requestor,  the  department  will  require  a 
written  authorization  which  will  be  attached  to  the  problem  report. 
Completed  table  changes  will  be  reviewed  by  appropriate  department 
personnel  prior  to  implementation. 




